Sign upLogin

rastating/wordpress-exploit-framework

View on GitHub
Star

Showing 338 of 338 total issues

Use the new Ruby 1.9 hash syntax.
Open

        :col_sep => delimiter,
Severity: Minor
Found in lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb by rubocop

This cop checks hash literal syntax.

It can enforce either the use of the class hash rocket syntax or the use of the newer Ruby 1.9 syntax (when applicable).

A separate offense is registered for each problematic pair.

The supported styles are:

  • ruby19 - forces use of the 1.9 syntax (e.g. {a: 1}) when hashes have all symbols for keys
  • hash_rockets - forces use of hash rockets for all hashes
  • nomixedkeys - simply checks for hashes with mixed syntaxes
  • ruby19nomixed_keys - forces use of ruby 1.9 syntax and forbids mixed syntax hashes

Example: EnforcedStyle: ruby19 (default)

# bad
{:a => 2}
{b: 1, :c => 2}

# good
{a: 2, b: 1}
{:c => 2, 'd' => 2} # acceptable since 'd' isn't a symbol
{d: 1, 'e' => 2} # technically not forbidden

Example: EnforcedStyle: hash_rockets

# bad
{a: 1, b: 2}
{c: 1, 'd' => 5}

# good
{:a => 1, :b => 2}

Example: EnforcedStyle: nomixedkeys

# bad
{:a => 1, b: 2}
{c: 1, 'd' => 2}

# good
{:a => 1, :b => 2}
{c: 1, d: 2}

Example: EnforcedStyle: ruby19nomixed_keys

# bad
{:a => 1, :b => 2}
{c: 2, 'd' => 3} # should just use hash rockets

# good
{a: 1, b: 2}
{:c => 3, 'd' => 4}

Prefer single-quoted strings when you don't need string interpolation or special symbols.
Open

    emit_success "Script stored and will be executed upon visiting /wp-admin/admin.php?page=wppa_manage_comments"
Severity: Minor
Found in lib/wpxf/modules/exploit/shell/photo_album_plus_xss_shell_upload.rb by rubocop

Checks if uses of quotes match the configured preference.

Example: EnforcedStyle: single_quotes (default)

# bad
"No special symbols"
"No string interpolation"
"Just text"

# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"

Example: EnforcedStyle: double_quotes

# bad
'Just some text'
'No special chars or interpolation'

# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"

Redundant return detected.
Open

      return Utility::Text.md5(ec_password)
Severity: Minor
Found in lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb by rubocop

This cop checks for redundant return expressions.

Example:

def test
  return something
end

def test
  one
  two
  three
  return something
end

It should be extended to handle methods whose body is if/else or a case expression with a default branch.

Use match? instead of =~ when MatchData is not used.
Open

    if res.body =~ /^0$/
Severity: Minor
Found in lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb by rubocop

In Ruby 2.4, String#match?, Regexp#match? and Symbol#match? have been added. The methods are faster than match. Because the methods avoid creating a MatchData object or saving backref. So, when MatchData is not used, use match? instead of match.

Example:

# bad
def foo
  if x =~ /re/
    do_something
  end
end

# bad
def foo
  if x.match(/re/)
    do_something
  end
end

# bad
def foo
  if /re/ === x
    do_something
  end
end

# good
def foo
  if x.match?(/re/)
    do_something
  end
end

# good
def foo
  if x =~ /re/
    do_something(Regexp.last_match)
  end
end

# good
def foo
  if x.match(/re/)
    do_something($~)
  end
end

# good
def foo
  if /re/ === x
    do_something($~)
  end
end

Redundant return detected.
Open

    return true
Severity: Minor
Found in lib/wpxf/modules/exploit/shell/revslider_shell_upload.rb by rubocop

This cop checks for redundant return expressions.

Example:

def test
  return something
end

def test
  one
  two
  three
  return something
end

It should be extended to handle methods whose body is if/else or a case expression with a default branch.

Prefer single-quoted strings when you don't need string interpolation or special symbols.
Open

    emit_success "Script stored and will be executed when a user views a page"
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/stored/universal_analytics_authenticated_xss_shell_upload.rb by rubocop

Checks if uses of quotes match the configured preference.

Example: EnforcedStyle: single_quotes (default)

# bad
"No special symbols"
"No string interpolation"
"Just text"

# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"

Example: EnforcedStyle: double_quotes

# bad
'Just some text'
'No special chars or interpolation'

# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"

Avoid comma after the last item of an array.
Open

        ['URL', 'https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=1340918%40universal-analytics%2Ftrunk%2Funiversalanalytics.php&old=910037%40universal-analytics%2Ftrunk%2Funiversalanalytics.php'],
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/stored/universal_analytics_authenticated_xss_shell_upload.rb by rubocop

This cop checks for trailing comma in array and hash literals.

Example: EnforcedStyleForMultiline: consistent_comma

# bad
a = [1, 2,]

# good
a = [
  1, 2,
  3,
]

# good
a = [
  1,
  2,
]

Example: EnforcedStyleForMultiline: comma

# bad
a = [1, 2,]

# good
a = [
  1,
  2,
]

Example: EnforcedStyleForMultiline: no_comma (default)

# bad
a = [1, 2,]

# good
a = [
  1,
  2
]

Redundant return detected.
Open

      return wordpress_js_create_user
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/stored/admin_management_xtended_xss_shell_upload.rb by rubocop

This cop checks for redundant return expressions.

Example:

def test
  return something
end

def test
  one
  two
  three
  return something
end

It should be extended to handle methods whose body is if/else or a case expression with a default branch.

Prefer single-quoted strings when you don't need string interpolation or special symbols.
Open

    emit_success "Script stored and will be executed when a user views the post"
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/stored/admin_management_xtended_xss_shell_upload.rb by rubocop

Checks if uses of quotes match the configured preference.

Example: EnforcedStyle: single_quotes (default)

# bad
"No special symbols"
"No string interpolation"
"Just text"

# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"

Example: EnforcedStyle: double_quotes

# bad
'Just some text'
'No special chars or interpolation'

# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"

Unused block argument - res. You can omit the argument if you don't care about it.
Open

      queue_request(opts) do |res|
Severity: Minor
Found in lib/wpxf/modules/auxiliary/dos/long_password_dos.rb by rubocop

This cop checks for unused block arguments.

Example:

# bad

do_something do |used, unused|
  puts used
end

do_something do |bar|
  puts :foo
end

define_method(:foo) do |bar|
  puts :baz
end

Example:

#good

do_something do |used, _unused|
  puts used
end

do_something do
  puts :foo
end

define_method(:foo) do |_bar|
  puts :baz
end

Unnecessary spacing detected.
Open

        'rastating'  # WPXF module
Severity: Minor
Found in lib/wpxf/modules/exploit/shell/tevolution_shell_upload.rb by rubocop

This cop checks for extra/unnecessary whitespace.

Example:

# good if AllowForAlignment is true
name      = "RuboCop"
# Some comment and an empty line

website  += "/bbatsov/rubocop" unless cond
puts        "rubocop"          if     debug

# bad for any configuration
set_app("RuboCop")
website  = "https://github.com/bbatsov/rubocop"

Redundant return detected.
Open

      return ec_password
Severity: Minor
Found in lib/wpxf/modules/exploit/shell/easy_cart_shell_upload.rb by rubocop

This cop checks for redundant return expressions.

Example:

def test
  return something
end

def test
  one
  two
  three
  return something
end

It should be extended to handle methods whose body is if/else or a case expression with a default branch.

Unnecessary spacing detected.
Open

        'rastating'  # Disclosure + WPXF module
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/stored/dwnldr_xss_shell_upload.rb by rubocop

This cop checks for extra/unnecessary whitespace.

Example:

# good if AllowForAlignment is true
name      = "RuboCop"
# Some comment and an empty line

website  += "/bbatsov/rubocop" unless cond
puts        "rubocop"          if     debug

# bad for any configuration
set_app("RuboCop")
website  = "https://github.com/bbatsov/rubocop"

Prefer single-quoted strings when you don't need string interpolation or special symbols.
Open

      items = doc.xpath("//ul//li")
Severity: Minor
Found in lib/wpxf/modules/auxiliary/info/download_manager_directory_listing_disclosure.rb by rubocop

Checks if uses of quotes match the configured preference.

Example: EnforcedStyle: single_quotes (default)

# bad
"No special symbols"
"No string interpolation"
"Just text"

# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"

Example: EnforcedStyle: double_quotes

# bad
'Just some text'
'No special chars or interpolation'

# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"

Line is too long. [188/180]
Open

        var body = "action=&package-hash=#{package_hash}&package-name=#{package_name}&package-notes=&archive-format=ZIP&filter-dirs=&filter-exts=&dbhost=&dbport=&dbname=&dbuser=&url-new=";
Severity: Minor
Found in lib/wpxf/modules/auxiliary/file_download/duplicator_csrf_db_export.rb by rubocop

Use the new Ruby 1.9 hash syntax.
Open

        :converters => [:all, :blank_to_nil]
Severity: Minor
Found in lib/wpxf/modules/auxiliary/hash_dump/ultimate_csv_importer_user_extract.rb by rubocop

This cop checks hash literal syntax.

It can enforce either the use of the class hash rocket syntax or the use of the newer Ruby 1.9 syntax (when applicable).

A separate offense is registered for each problematic pair.

The supported styles are:

  • ruby19 - forces use of the 1.9 syntax (e.g. {a: 1}) when hashes have all symbols for keys
  • hash_rockets - forces use of hash rockets for all hashes
  • nomixedkeys - simply checks for hashes with mixed syntaxes
  • ruby19nomixed_keys - forces use of ruby 1.9 syntax and forbids mixed syntax hashes

Example: EnforcedStyle: ruby19 (default)

# bad
{:a => 2}
{b: 1, :c => 2}

# good
{a: 2, b: 1}
{:c => 2, 'd' => 2} # acceptable since 'd' isn't a symbol
{d: 1, 'e' => 2} # technically not forbidden

Example: EnforcedStyle: hash_rockets

# bad
{a: 1, b: 2}
{c: 1, 'd' => 5}

# good
{:a => 1, :b => 2}

Example: EnforcedStyle: nomixedkeys

# bad
{:a => 1, b: 2}
{c: 1, 'd' => 2}

# good
{:a => 1, :b => 2}
{c: 1, d: 2}

Example: EnforcedStyle: ruby19nomixed_keys

# bad
{:a => 1, :b => 2}
{c: 2, 'd' => 3} # should just use hash rockets

# good
{a: 1, b: 2}
{:c => 3, 'd' => 4}

Redundant return detected.
Open

    return true
Severity: Minor
Found in lib/wpxf/modules/exploit/shell/n_media_website_contact_form_shell_upload.rb by rubocop

This cop checks for redundant return expressions.

Example:

def test
  return something
end

def test
  one
  two
  three
  return something
end

It should be extended to handle methods whose body is if/else or a case expression with a default branch.

Redundant return detected.
Open

    return true
Severity: Minor
Found in lib/wpxf/modules/exploit/shell/simplecart_shell_upload.rb by rubocop

This cop checks for redundant return expressions.

Example:

def test
  return something
end

def test
  one
  two
  three
  return something
end

It should be extended to handle methods whose body is if/else or a case expression with a default branch.

Use (complete_requests % 10).zero? instead of complete_requests % 10 == 0.
Open

        emit_warning("#{complete_requests} requests executed") if complete_requests % 10 == 0
Severity: Minor
Found in lib/wpxf/modules/auxiliary/dos/long_password_dos.rb by rubocop

This cop checks for usage of comparison operators (==, >, <) to test numbers as zero, positive, or negative. These can be replaced by their respective predicate methods. The cop can also be configured to do the reverse.

The cop disregards #nonzero? as it its value is truthy or falsey, but not true and false, and thus not always interchangeable with != 0.

The cop ignores comparisons to global variables, since they are often populated with objects which can be compared with integers, but are not themselves Interger polymorphic.

Example: EnforcedStyle: predicate (default)

# bad

foo == 0
0 > foo
bar.baz > 0

# good

foo.zero?
foo.negative?
bar.baz.positive?

Example: EnforcedStyle: comparison

# bad

foo.zero?
foo.negative?
bar.baz.positive?

# good

foo == 0
0 > foo
bar.baz > 0

Prefer single-quoted strings when you don't need string interpolation or special symbols.
Open

                 ";s:4:\"WC2W\";s:0:\"\";}"
Severity: Minor
Found in lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb by rubocop

Checks if uses of quotes match the configured preference.

Example: EnforcedStyle: single_quotes (default)

# bad
"No special symbols"
"No string interpolation"
"Just text"

# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"

Example: EnforcedStyle: double_quotes

# bad
'Just some text'
'No special chars or interpolation'

# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"
Severity
Category
Status
Source
Language